Isaac Foster
The purpose of this security policy is to inform and advise about the proper courses of action or inaction required to maintain the security of this company, both physically and digitally. To keep security breaches to a minimum, all employees, regardless of their level of authority, must follow every aspect of this policy in all regards. Although it may seem tedious, it is vital to maintain every bit of security integrity possible in order to preserve this company and facility for as long as possible, as well as to protect the sensitive and vital information that is stored within our facilities. If any part of this policy is violated by an individual, immediate disciplinary action will be taken, and after repeated infractions of this policy’s statements, the violator will be terminated and will relinquish all rights to information and design to this company, as
Software Support
To maintain security within the systems, all software must be fully and infallibly secure. This security will be preserved by restricting the permissions of all users (besides IT and administration) so that they cannot download or execute software from internet sources or personal devices (external disks, USB drives, etc.). Restricting these permissions will reduce the likelihood of security breaches such as malware, viruses, worms, and other similar threats. Not all users need administrative privileges; that is what the IT department is for. In addition to not allowing users to install whatever software they want, all software that needs to be installed or is being
possible security flaws in the software, and to make sure the listed functionality of the software is true to its actual function, as some software is designed to compromise the security of a system.
documentation, or any other kinds of changes. Unauthorized changes could damage the security integrity of the system, and could then lead to much bigger problems in future events. Configuration and changes applied to a networked system must consider which other systems would be affected by the applied change (what the “domino effect” of the change would be). After applying a change, small or large, it must be properly documented for later reference, and all systems must be checked and re-tested for security integrity after a large change has been applied; any changes in security must be documented as well as fixed
Backups
All files will be backed up bi-weekly (every other week) to an off-site data storage facility which will adhere to the entirety of this policy’s outlines. Every off-week, when files are not being backed up, the most recently backed up files will be tested for their usability, to maintain the availability of functional data in the event of a disaster. The most recent backups will be stored on a securely encrypted cloud server to make them easier to access in the case of data loss, but will be archived on physical tapes when new data is being stored onto the cloud server. There will be very limited access to these files, only authorized IT workers and designated Disaster Recovery
Media Controls
Covered in media controls is the physical and digital protection of media and devices, as well as the security provided to mitigate the loss of confidentiality or accountability. The types of
Marking
One form of controlling media is physically labeling whatever the media is, tagging it with vital information about the media device in the form of a barcode and any special handling instructions. Color-coding the labels significantly aids in the organization of physical drives and various media such as the archived backup files. Properly trained individuals are required to handle such media, so that it is correctly placed and handled carefully and any vital information is preserved.
Logging
devices. Using the barcodes for each device, anything can be checked out and logged under a user’s name or identification number, so that it is always recorded who has which device and how long they have had it, as well as their purpose for checking out the device or other hardware. Random checks will occur to make sure all checked-out items are in the possession of those who checked them out or are accounted for in the facility’s inventory, verifying that no
Integrity Verification
determine if the information is being read correctly and if the information has been subjected
notch priority. All information and media stored on-site will be secured at all times within a multi-layered security building. Any and all media/information will be stored within multiple
security/bomb threat K-9 units stationed together at access points and patrolling the grounds at all times. Off-site data and media will possess the same level of security: physical guards, cameras covering every angle of the interior and exterior, three-step verification for personnel attempting to enter (a guard checking ID and clearance level, an electronic badge reader, and biometric locks), etc. Finally, all physical media being transported between facilities shall be accompanied by 2 unmarked guard vehicles, with guards also riding with the sensitive media.
Environmental Protection
damage to a device or other form of media. However, some devices are still needed or helpful
such as CDs, DVDs, and other optical media, which are very vulnerable to temperature, liquid, or dust damage, all of which can corrupt any and all data stored on that media. Special handling and storage procedures will be followed to maintain the physical security of these types of media.
Disposition
When media has to be disposed of, it is important to make sure that it is done properly, so that information is not unintentionally put into unauthorized control. The only sure way of doing so is destruction. Therefore, any and all media that is being purposefully erased, after being cleared by all higher levels of management and control, must be sanitized and shredded (when applicable), then sent off to be disposed of by incineration.
Documentation
the most important aspects of maintaining security. Proper documentation prevents security oversights and keeps track of anything and everything going on within the facility, providing constant quality assurance for current and new employees so they know what they can do to improve their work. Documenting everything makes it nearly impossible to lose data without a way of finding out how it was lost, and it constantly enforces consistency in all aspects of one’s work. Other documentation includes security/contingency plans, risk analyses, and security policies such as this one. Every piece of documentation is another bit of work that no one wants to do, but without it there would be no chance of having reliable ways to review
Maintenance
cleaned out and checked for updates, as well as replacing or upgrading any parts that have passed their useful life. These physical maintenance jobs fall to the IT department or to a third-party contractor, who will do periodic physical check-ups on each individual system to make sure its performance level is not being negatively affected by any physical issues. Another kind of issue that may arise is a logical issue, which falls only to IT. Logical issues may include bugs, malware, adware, or any other kind of virus. An unauthorized individual
unintentionally mess something up and leave it that way, which leaves a door wide open into our network. Many systems come with pre-installed maintenance accounts that are meant to be used for those purposes only, and they will be kept that way by maintenance personnel changing their passwords (which must be complex, i.e. include capital and lowercase letters, number(s) and a special character) so that unauthorized users cannot access these accounts. If this account is going to be used remotely, then authentication data will have to be verified through multiple channels
Summary
While these policies may seem like a hassle to deal with, they are all put in place for the safety and security of the employees as well as the safety and security of the information stored in our facility. If all of these policies are adequately followed, a large number of security breaches will be avoided simply by doing everything by the book, not taking any